3 Best Practices for a Layered Cybersecurity Program

As the circumstances surrounding WannaCry, Petya/Goldeneye, the Shadow Brokers and exposed voters’ records have shown, cybersecurity events continue to cripple companies no matter their size or industry.

Although cybersecurity is both broad and complex, some best practices can help prevent hackers from successfully infiltrating your customers’ operations. A mature cybersecurity program relies on a layered security approach — meaning that no single control is the only source of protection for a corporate asset. Three controls that make up a layered security approach are secure password practices, multi-factor authentication and security awareness training.

Secure password practices

For many people, it’s difficult to remember unique, complex passwords for every website — a complication that leads to password reuse. Unfortunately, cyber criminals know this is common. When your credentials are compromised on one site, they will take that username and password and try it on other sites, often with success.

As a solution, use a password manager tool. These services ask you to remember one master password and, through a browser extension, will automatically log you in to all of the websites you visit using a unique, longer, more complex password for each site that you don’t need to know. What’s the advantage? If a company, such as your bank, is compromised, the stolen password only allows access to your bank and nowhere else.

Steps to multi-factor authentication

Multi-factor (or two-factor) authentication (MFA or 2FA) is more straightforward than it may initially seem. MFA is a combination of two of these three factors:

1. Something you know: a piece of information that you have memorized, such as a password.

2. Something you have: Historically, this was a physical token that displays a 6-digit number, which changes every 30 seconds. Today, this method uses an app on a user’s smartphone. In either case, it is not necessary for the owner to memorize the multi-digit code, provided that they have the device or app with them when logging in.

3. Something you are: biometrics, such as a smartphone’s built-in fingerprint reader.

When MFA is used, it becomes much more difficult for an attacker to gain unauthorized access to an account. The criminal would not only need to steal your password, but would also need to physically steal, or hack into, your token device or biometric data, both of which are far more difficult tasks. An additional best practice is to use MFA on all remote connectivity, and for any activity requiring administrator-level access.
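The "something you have" factor described above (a 6-digit code that changes every 30 seconds) is the time-based one-time password scheme of RFC 6238, built on the HMAC-based counter scheme of RFC 4226. The following added example, written for this article and not taken from the author or any product, shows how the server side derives and checks such a code, including the two details a practitioner must get right: tolerating a little clock skew between token and server, and refusing to accept the same code twice. The shared secret is the RFC test secret; the helper names are the example's own.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); in a real
# deployment the per-user secret is generated randomly at enrollment and
# shared with the authenticator app once, usually as a base32 otpauth:// URI.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """The code a token or app shows at at_time: HOTP over the 30-second step index."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time=None, step: int = 30,
                window: int = 1, last_used_counter: int = -1):
    """Server-side check. Accepts the code for the current step or any step within
    +/- window (token clock drift), compares in constant time, and rejects any step
    index at or below the last accepted one so a captured code cannot be replayed.
    Returns the accepted step index, or None; the caller persists it per user."""
    if at_time is None:
        at_time = int(time.time())
    submitted = submitted.strip().replace(" ", "")
    current = at_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue  # already consumed (or older): replay or stale
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = 59  # RFC 6238 test time: step index 1
    code = totp(TEST_SECRET, at_time=now)
    accepted = verify_totp(TEST_SECRET, code, at_time=now)
    replayed = verify_totp(TEST_SECRET, code, at_time=now + 5, last_used_counter=accepted)
    print(code, accepted, replayed)  # 287082 1 None
```

Note that the check is only as strong as the secrecy of the per-user seed and the server's record of the last accepted step; store the seed like a password hash's pepper, not in plain application config.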

Creating security awareness

Your customers can be their companies’ strongest security assets or weakest links. Employees who click on malicious links and open attachments can easily bypass other cyber protections. Phishing attacks, situations in which an employee receives a legitimate-appearing, but actually malicious email, are one of the top causes of data breaches.

Ten years ago, phishing attacks came from a “Nigerian prince” and were easy to identify. These days, attacks are much more sophisticated and are timed with current events, such as business transactions or the April 15 tax day. Attackers also will take time to create “spear phishing” attacks, in which a specific person or company is targeted. Spear phishing uses information from a user’s LinkedIn page or other social media accounts to appear plausible.

Your customers should regularly conduct security awareness training for employees. Training should include regular communications on current security events and frequent in-house phishing campaigns. The in-house campaigns test employees with seemingly realistic phishing emails that, thankfully, are anything but.

Criminals will always be thinking of new ways to attack businesses and consumers, which forces businesses to constantly evolve their cybersecurity practices. It is only through constant vigilance that we can continue to protect ourselves in this ever-escalating environment.

Nick Graf serves as Consulting Director of Information Security for CNA’s Risk Control unit. He can be reached by sending email to Nickolas.Graf@cna.com.